* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2014-02-14 11:03:19 -0500, Stephen Frost wrote:
> > Also, all of the above ignores the pg_ident side of the house, which is
> > even worse as you need an entry for every user, period, if you're using
> > client-side SSL certificates or Kerberos/GSSAPI-based authentication
> > with full princ names.
>
> Well, there's regexes for mappings, that can often enough take care of
> most of that?
In some cases, yes, but certainly not all. Apologies for over-stating
the case, but I came from an environment where the Kerberos princs were
'm######', while the database users were all first-initial || last-name.
Also, the CN in an SSL certificate isn't likely to be what you want for
a username either, and a regexp isn't likely to help that either.
Thanks,
Stephen
